Bug 1374733 (CVE-2016-7551) - CVE-2016-7551 asterisk: RTP Resource Exhaustion
Summary: CVE-2016-7551 asterisk: RTP Resource Exhaustion
Status: CLOSED UPSTREAM
Alias: CVE-2016-7551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160908,reported=2...
Keywords: Security
Depends On: 1374735 1374734
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-09 13:36 UTC by Martin Prpič
Modified: 2019-07-12 13:04 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-07-12 13:04:21 UTC


Attachments (Terms of Use)

Description Martin Prpič 2016-09-09 13:36:29 UTC
The following flaw was found in Asterisk:

The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.

Upstream bug:

https://issues.asterisk.org/jira/browse/ASTERISK-26272

External References:

http://downloads.asterisk.org/pub/security/AST-2016-007.html

Comment 1 Martin Prpič 2016-09-09 13:37:02 UTC
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 1374734]
Affects: epel-6 [bug 1374735]

Comment 2 Andrej Nemec 2016-09-26 08:14:18 UTC
References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838832

Comment 3 Adam Mariš 2016-10-26 07:16:23 UTC
UPDATE (20 October, 2016):

It has been brought to our attention by Walter Doekes that this same leak can be exploited without the use of the overlap dialing feature. Sending SIP requests in a specific sequence outside the norm could also cause the leak of RTP resources. By sending an in-dialog INVITE after receiving a 404 response (but before sending an ACK), an attacker could cause the same leak to occur.

Comment 4 Jared Smith 2016-10-26 16:49:03 UTC
I'm working with the Digium developers to get systemd support added to dahdi-tools, so that we can unretire dahdi-tools, which is a dependency of Asterisk.  That will allow me to update the Asterisk packages in Fedora/EPEL to the latest version which will close this vulnerability.

Comment 5 Product Security DevOps Team 2019-07-12 13:04:21 UTC
ARRAY(0x558ebd7dae40)


Note You need to log in before you can comment on or make changes to this bug.